Androxgh0st attacks the US: Hackers successfully deploy web shells through old vulnerabilities

Brother

The FBI and CISA issued an emergency warning that the Python malware does not spare corporate secrets.

Attackers are using vulnerabilities that have been known for several years to deploy the Androxgh0st malware and build a botnet that steals cloud credentials. This was reported by the Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA).

In a joint warning issued on January 16, the agencies said the Python malware primarily targets ".env" files containing user credentials for AWS, Microsoft Office 365, SendGrid, and Twilio.

In addition to scanning for and exploiting stolen credentials, Androxgh0st can also be used to deploy web shells, execute code remotely, steal sensitive data, and create new AWS users and instances.

For example, if AWS credentials are successfully compromised on a vulnerable website, the attackers try to create new users as well as user policies. Androxgh0st operators have been seen creating new AWS instances to perform additional scans.

The attackers behind the spread of Androxgh0st favour three old vulnerabilities that have long been patched: CVE-2017-9841 (a command injection vulnerability in PHPUnit), CVE-2018-15133 (an insecure deserialization vulnerability in the Laravel web framework that leads to remote code execution) and CVE-2021-41773 (a path traversal vulnerability in Apache HTTP Server that also results in remote code execution).

CVE-2017-9841 allows an attacker to remotely execute PHP code via a malicious HTTP POST request and upload files to the system hosting the compromised website. Attackers can set up a fake page that serves as a "back door" to the site, which lets them upload additional malicious files and gain access to databases.

The malware also scans for Laravel websites whose ".env" files are reachable over HTTP, and sends GET or POST requests to steal credentials and tokens.

The third method, which exploits a vulnerability in Apache HTTP Server versions 2.4.49 and 2.4.50, allows attackers to conduct path-traversal attacks. Attackers scan for URLs that are not protected by the "Require all denied" configuration and that do not have Common Gateway Interface (CGI) scripts enabled. This is what enables remote code execution attacks.
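Both of the probing behaviours described above (requests for ".env" files and path-traversal attempts against Apache) leave traces in the web server's access log. The following script is an added example, not code from the advisory or from the article's author: it parses Apache "combined" format log lines, flags requests for ".env" files (including backup variants such as ".env.bak") and plain or URL-encoded "../" segments, rates a flagged request as critical when the server answered 2xx (that is, the file was actually served), and counts hits per source address. The log lines, IP addresses and the regular expressions are constructed for the example; adjust `LOG_RE` if your `LogFormat` differs.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:10:01:03 +0000] "POST / HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jan/2024:10:02:15 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 404 196 "-" "curl/7.68.0"
192.0.2.44 - - [16/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:10:03:30 +0000] "GET /laravel/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: client, ident, user, [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Requests for a .env file anywhere in the path, plus backup variants (.env.bak, .env.old ...).
ENV_RE = re.compile(r'(^|/)\.env(\.[\w-]+)?(\?|$)', re.IGNORECASE)

# Plain, URL-encoded and double-encoded "../" segments used in path-traversal attempts.
TRAVERSAL_RE = re.compile(r'(\.\./|\.%2e/|%2e\./|%2e%2e/|%252e%252e/)', re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding dict for a suspicious request, or None for benign traffic."""
    path = entry["path"]
    if ENV_RE.search(path):
        kind = "env-file-probe"
    elif TRAVERSAL_RE.search(path):
        kind = "path-traversal"
    else:
        return None
    # A 2xx answer means the server actually served the requested resource.
    severity = "critical" if entry["status"].startswith("2") else "medium"
    return {
        "ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
        "path": path, "status": entry["status"], "kind": kind, "severity": severity,
    }


def analyze(log_text):
    """Run every parseable line through classify() and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


def offenders(findings):
    """Suspicious requests per source IP, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:8} {f['kind']:15} {f['ip']:14} {f['method']} {f['path']} -> {f['status']}")
    print("per-source counts:", offenders(results))
```

On the constructed input the first ".env" request is rated critical because it returned 200, which is exactly the case to investigate first: the credentials in that file should be treated as exposed and rotated. Double-encoded traversal is included in `TRAVERSAL_RE` because a single URL-decode pass in a log pipeline would otherwise hide it.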

The security alert issued by the agencies also lists indicators of compromise for Androxgh0st. The FBI and CISA offer several measures to reduce the risk of infection.

One measure is to make sure that Apache servers are not running the vulnerable versions 2.4.49 or 2.4.50. It is also important to check that the default configuration for all URLs denies every request unless there are legitimate grounds for access.

In addition, it is recommended to regularly review the platforms and services whose credentials are listed in ".env" files and to check those credentials for unauthorized use.
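A practical way to carry out that review is to inventory which credential-bearing variables each ".env" file holds, without ever printing their values, and to flag the two conditions that make such a file harvestable: loose file permissions and a location under the web root. The script below is an added example, not part of the advisory or the article; the sample ".env" contents, the prefix-to-service mapping and the "secret-looking name" heuristic are constructed assumptions, and the demo writes the sample into a temporary directory so it runs offline.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample .env contents; every value is a placeholder, not a real credential.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_DEBUG=true
DB_PASSWORD=placeholder-db-password
AWS_ACCESS_KEY_ID=AKIA_PLACEHOLDER
AWS_SECRET_ACCESS_KEY=placeholder-aws-secret
SENDGRID_API_KEY=SG.placeholder
TWILIO_AUTH_TOKEN=placeholder-twilio-token
MAIL_HOST=smtp.example.com
"""

# Assumed variable-name prefixes for the services named in the advisory.
SERVICE_PREFIXES = {
    "AWS_": "AWS",
    "SENDGRID_": "SendGrid",
    "TWILIO_": "Twilio",
    "OFFICE365_": "Microsoft Office 365",
    "O365_": "Microsoft Office 365",
}

# Heuristic: a variable whose name contains one of these words probably holds a credential.
SECRET_WORDS = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASS|SID)", re.IGNORECASE)


def parse_env(text):
    """Parse dotenv-style KEY=VALUE lines, skipping blanks and comments; quotes are stripped."""
    env_vars = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env_vars[key.strip()] = value.strip().strip('"').strip("'")
    return env_vars


def credential_inventory(env_vars):
    """List (service, variable name) pairs for credential-looking variables. Values are never returned."""
    inventory = []
    for key in env_vars:
        if not SECRET_WORDS.search(key):
            continue
        service = next(
            (svc for prefix, svc in SERVICE_PREFIXES.items() if key.upper().startswith(prefix)),
            "other",
        )
        inventory.append((service, key))
    return inventory


def audit_env_file(path, webroot=None):
    """Inventory credentials in one .env file and warn about permissions and web-root exposure."""
    path = Path(path)
    env_vars = parse_env(path.read_text())
    report = {"file": str(path), "credentials": credential_inventory(env_vars), "warnings": []}
    mode = path.stat().st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        report["warnings"].append("readable by group/others; chmod 600 recommended")
    if webroot is not None and Path(webroot).resolve() in path.resolve().parents:
        report["warnings"].append("located under the web root: may be served to HTTP clients")
    return report


def demo():
    """Write the constructed sample into a temporary web root and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "public"
        webroot.mkdir()
        env_path = webroot / ".env"
        env_path.write_text(SAMPLE_ENV)
        os.chmod(env_path, 0o644)  # deliberately loose, to trigger the permission warning
        return audit_env_file(env_path, webroot=webroot)


if __name__ == "__main__":
    result = demo()
    for service, name in result["credentials"]:
        print(f"{service:22} {name}")
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

The output is a checklist for the review the agencies recommend: each listed (service, variable) pair is a credential whose use should be checked in that service's own audit trail, and either warning means the file could have been read by something other than the application, so those credentials should be rotated rather than merely reviewed.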

The last recommendation, as always, is to update the operating systems, device firmware and other software in use promptly; however, as the exploitation of long-known vulnerabilities shows, few people follow this recommendation in practice.